At this point, nobody knows the total extent of the data stolen, but stories are emerging that indicate just about everything that could be accessed was accessed. Sony admits that information such as names, addresses, passwords, and security questions has all been accessed by an unauthorized third party. They have also not completely ruled out the possibility that credit card data has been stolen as well.

It seems the situation has turned from a mere inconvenience to PSN users into a full-blown security and PR nightmare. After a breach like this with so many questions left unanswered, and the gaming network rendered completely useless, we have to ask:

When everything is “fixed” and back to normal, what could Sony possibly do to regain your trust?

Ars Technica just posted a story saying that yes, all the credit card data has also been compromised (eg. people are reporting fraudulent charges on preloaded credit cards that they only ever used for PSN purchases). So if you have a PSN account, keep a close eye on your credit cards or just cancel them outright.

This is definitely one of the more appalling security breaches in the last couple of years. At least when Gawker etc. got hacked they didn’t have stored credit card information…

I think it has to be said that if the target of the hack was to steal credit card details then it most likely won’t be the hackers who just wanted to gain access to the PS3 to run their own software, so PS3 gamers shouldn’t start throwing accusations at the homebrew / piracy crowd for this outage.

and incidentally, I don’t think Sony could do anything to regain my trust except maybe divesting themselves of their entire record/film division and going back to just manufacturing electronics. Really, every stupid thing Sony’s done in the last decade or two can be traced to some kind of BS from the rights-management divisions. I guarantee you their hardware engineers aren’t sitting around thinking “let’s invent a new audio compression format that isn’t compatible with anything” or “let’s make this music CD put a rootkit on your computer.”

I’ve never been a sony fan… I think they started their slide with the failure of the minidisc… that was the point where the lawyers and executives stopped thinking what was best for the consumer, and just assumed the problem was with the consumer when they didn’t buy sony products.

I know lots of people that are only really supporting sony because of their game systems, curious to see how badly this snafu will screw them over.

Sony will never have my trust, nor will any company. Their goal is profit. And if it means you can’t do what you want with the stuff you buy from them, then they will do that. If this was a protest and not just some guy stealing shit, I’m all for it.

Sony had it coming …the crappy consoles…the DRM every where and the poor support for the alternate OS on the consoles added up to a lot of mistrust plus this real gem …the break in of their network’s servers ..and.. not telling any one till it is literally too late to do any thing meaningful about it. cannot blame this on the reverse engineers legal or not …I stopped using Sony products ages ago for obvious hacker unfriendly reasons hardware and software alike.

“what could Sony possibly do to regain your trust?”. Nothing. The enormity of this incident only caps off a downward spiral of inanity that Sony has been pursuing. Unfortunately, in the long term, this won’t hurt them. They’ll attempt some sort of spin, and by next year, people will forget. Such is the life of the sheeple.

While I generally don’t have an issue with a company making money, Sony’s business practices are simply narrow-minded and deplorable. I stopped buying their products as soon as it was revealed that they were installing rootkits as part of their DRM. You really have to question a company when their President actually says to a reporter, “Most people, I think, don’t even know what a rootkit is, so why should they care about it?”

I understand wanting to protect their assets (and profits) from piracy but when you instantly assume your customers are thieves, that’s just going to take you down the wrong path. The worst thing about them getting compromised is how it’s going to affect the individuals who (used to) subscribe to their service — I feel sorry for them.

Who doesn’t have DRM everywhere these days? Let’s not single Sony out here for something literally everyone is doing.

>>and the poor support for the alternate OS

Here we go, you’re trying to make out that removing Other OS caused this opposed to someone looking to make profit by stealing CC details.. oh dear oh dear.

>>on the consoles added up to a lot
>>of mistrust plus this real gem

Really? You don’t think this is somehow to do with the fact that if you have lots of CC numbers and personal details to go with them you can make lots of money? You think this all boils down to the removal of a feature less than 0.1% of their customers used?

>>not telling any one till it is
>>literally too late

How do they tell you there has been a break in and the extent of said break in before they A: know there has been a break in B: know what the extent of said break in was. I’m sure you know the future and can release press releases before the events have actually happened but I’m afraid people like yourself are very rare.

>>to do any thing meaningful about it.

What could you do? By the time Sony know of the issue it was already too late for you to do anything.

>>cannot blame this on the reverse engineers

They don’t even come into this unless they were involved in the break in.

GOOD JOB OLD BOY! You want a medal for that?
Please tell all of us the brand of consumer goods you buy.. you know the company that has no problem with you breaking their security systems (valid or not), redistributing their IP etc..

To regain my trust? well seeing as all that my PSN account had was the ability to play netflix movies on my PS3, it shouldn’t take much.

As for not buying Sony again, I’d like to say I bought mine to play gran-turismo 5. At the time I bought it, it was expected to be a PS3 only title. In my defense, the only other option would be the Xbox360, made by Microsoft. They have my trust even less than Sony.

I agree with fred, as much as I’d like to see Sony crash and burn, I don’t think this will do it. They’ll say it was someone who worked for them and already had *some sort* of access to their networks, then quit on bad terms and hacked them.

I am a huge fan of the person who did this, because they pointed out that while Sony can update their consoles and be greedy, they can’t protect themselves from everyone.

@macw: au contraire. I have a friend who used to work in R&D at Sony and that really is what they did all day. They genuinely believe that ATRAC is superior to everything else out there. You have to concede their MP3 players do actually sound much better than anything i-prefixed.

>>Who doesn’t have DRM everywhere these days? Let’s not single Sony out here for something literally everyone is doing.

Do you not recall how Sony’s DRM rootkits your Windows box and lets anyone (blackhats) take advantage of that newly created vulnerability? Also, they didn’t provide a way to remove it AND denied that it existed until they were sued over it.

>>What could you do? By the time Sony know of the issue it was already too late for you to do anything.

Cancel credit cards before they get used. Now with reports of charges, people already have to deal with their CC companies. Sony could have said from the beginning “CANCEL YOUR CARDS!”.. instead they chose to hide it.

Now come on, what did Sony do for you that makes you such a loyal fanboy?

The company that distributed the rootkits being Sony BMG not Sony Computer Entertainment. Two different companies. If you want to blame related companies (same money involved) for another company’s wrongdoing.. you basically need to avoid Japanese companies as the same money is involved in like 99.9% of all the big companies.

@cantido
“Sony BMG Music Entertainment is a recorded music company, which was a 50–50 joint venture between the Sony Corporation of America and Bertelsmann AG”
From wikipedia.

Being that Bertelsmann AG is a music company, I’d be willing to bet that Sony was employed to create the DRM. Sony manufactures CD media and is a computer company, which would handle that end of business in such a deal, no reason for the music company to do it. They simply licensed the titles to Sony BMG.

Ok, so you hate Sony BMG.. but why do you use software with known exploits that the vendor refuses to fix or takes months to do so?
Let’s turn this the other way around.. why does Microsoft not fix exploits that allow malware in and to remain hidden?

>>they didn’t provide a way to remove it

*they* being Sony BMG.

>>Cancel credit cards before they get used.

Ok, so how do I tell you credit card data has been stolen before I know it’s been stolen?

>>Now with reports of charges, people
>>already have to deal with their CC companies.

Which is all insured, if any charges have happened people will get their money back. I have had money disappear from my credit and debit cards and have gotten it back. It’s annoying but the only people that will end up out of pocket with this are SCE.

>>Sony could have said from the beginning
>>“CANCEL YOUR CARDS!”

And then if it turned out no data was stolen you would be here complaining that you cancelled your card for no reason.

>>Sony

Well, for a start Sony is a massive umbrella over a ton of different companies

>>fanboy?

You do make me laugh.. I can see your thought process; I don’t agree with you thus you need some way of invalidating what I have written, you can’t think of anything to actually counter what I have written so you need something else.. so you decide that if you can label me as a shill that’ll make what I have written invalid.

@cantido
If you had bothered to read my other posts instead of just babbling about Sony vs Sony BMG, you’d realize why my first post is credible.

Also, when (Visa, Mastercard, Amex) cancel a stolen card, they can give you the same card number with a new expiry and new CVV2 code, so it’s really not too inconvenient for the consumer. I’d rather have a new CVV2 and expiry to memorize than have to fight my card company for my money back.

Lastly can I show you the problem with how you reply to posts?

>>Let’s turn this the other way around..
Okay, let’s do so.

>>label me as a shill that’ll make what I have written invalid.
Interesting. I see your point and agree with it, that will make what you have written invalid.

See what I did there? Taking things out of context and replying so you have no way to make a retort.

I’m not picking on you because we disagree, I am doing it because you disagree in a negative way and it is an annoyance to those who want to have a civilized conversation.

Well since links in comments require moderator approval, figured I try to post this in plain text. There is a pastebin of the conversation between some of the people behind this.
pastebin [dot] com [slash] m0ZxsjAb

Sony really dropped the ball on security, you can’t blame hackers for taking advantage of such an easy target.

>>Here we go, you’re trying to make out that removing Other OS caused this opposed to someone looking to make profit by stealing CC details.. oh dear oh dear.

If you actually take the time to READ what the person you were quoting had said, he was not suggesting that the removal of the Other OS feature was related to this break-in, he was merely pointing out a list of less-than-clever business moves from Sony.

As a side point, simply because YOU do not run Windows does not make the rootkit incident any less deplorable. It is neither here nor there. Please remove yourself from your high horse, it is unbecoming.

>>I’d rather have a new CVV2 and expiry to
>>memorize than have to fight my card company
>>for my money back.

As long as you can prove the money was taken without your knowledge it’s very simple to get the money back and in a lot of cases you can get the money back even if you did the transaction. One company I worked for had a whole department to handle “charge backs” where customers buy something (usually virtual items, like poker chips or something) have buyer’s regret.. or with online gambling; don’t win anything and then call their card company and have the money charged back. I’ve worked at places that were PCI compliant yet had an unlocked cupboard with stacks of printouts of CC numbers and addresses..

>>Lastly can I show you the problem with
>>how you reply to posts?

Only if I can show you yours.

You are basically saying I should hate Sony SCE for this root kit thing.. while I agree that was a bad thing I’m not going to go over the top and bring it up all the time whenever the word Sony is written somewhere on the internet. I’m also not going to try to use it as an explanation for why this has happened when anyone with half a clue can see that anyone that is going to risk something this big is doing it for the money.. If they are doing it as some crusade against rootkits and removal of OtherOS they are pretty stupid especially since there seems to be credit card fraud involved now.

>I’m not picking on you because we disagree

Ok, so now we don’t disagree, yet I’m a fanboy etc .. so we must disagree on something?

>>civilized conversation.

Ok, so, “SONY ARE THE EVILS!!” is sensible? Trying to make out that it was to do with DRM on 50 CDs that were recalled and issued by a different company or that it was to do with OtherOS being removed opposed to gaining access to a large stash of CC numbers and addresses is sensible? And I wasn’t being “negative”. Maybe you perceived me basically saying “That is total and utter bullshit” as being “negative”.. but wouldn’t all the “OH NOES ROOT KIT ON MY CD!” people also be classed as negative in your opinion classification scheme?

I’ll tell you what; Fony will never have my trust after stealing functionality that I paid for. Now there’s the possibility that my personal data is compromised AND everyone else gets to suffer w/o the PSN as I have for wanting to run other OS. F.off, Sony. Taste your own medicine.

The problem is that Sony has gotten way too big for their own egos. This is not too big a deal.. it happens to all big companies and for them is mostly a result of their actions against Geohot and others like him. Plus their bogus TOS and other BS.

The biggest issue here is their lack of admitting the problem and trying to hide that fact from the consumer, who needed that critical time to close accounts and what not. So all they did by not telling anybody what really happened for so long was to basically say, “you as a customer mean nothing to us!” THAT IS THE WORST ANY COMPANY CAN DO.

Cantido, go elsewhere with your atacky mctackersonness. Your arguments don’t make sense and you repeat yourself. I’m going to let you know now that I don’t care about what you have to say to this. Your opinion means nothing to me, and after your baby D rant, I’m sure that others feel the same.

What can Sony Computer/ BMG ETC .. do to regain any kind of trust… renaming itself to Microsoft might work… Right now Microsoft has better name then Sony. Naw… OtherOS support re-implemented but with GameOS Privs… Naw.. already got that .. Ya know that Sony trying to regain trust is like trying to make a good case for Charles Manson being released on parole… It would be easier to make Common sense … well Common…

wow, sony rocks sony sucks is all i have been seeing. how about a little less bitching about the pros and cons of Sony and more about why this happened. could this be a retaliation of its blackhat users for making George Hotz a martyr? Perhaps we could get a better idea of who the culprits are if we could find out what was bought? All i can say to the people who had their information stolen is that i DO NOT pity you. you placed your trust in the hands of a company that is known for cutting corners where they shouldn’t, and make life more difficult for their consumers. Either way I look at it, if you’re a sony customer, you will lose by the hands of a criminal corporate or otherwise.

>>As long as you can prove the money was taken without your knowledge it’s very simple to get the money back and in a lot of cases you can get the money back even if you did the transaction.

That is not the point. It’s easy to do a lot of things, but it’s still a waste of time and energy that Sony could have prevented by taking proper action.
If I back into your car, it’s still damaged and needs repair. Even if insurance covers it, you still have to go through the process. If I had just checked my mirror before backing up, you’d be fine.

>>You are basically saying I should hate Sony SCE for this root kit thing.. while I agree that was a bad thing I’m not going to go over the top and bring it up all the time whenever the word Sony is written somewhere on the internet.

I am ‘basically saying’ that they have screwed up in the past(and citing a source of information regarding that screw up), which is why they already have no rapport with me as a consumer. I’m not sure where the rest of your assumption comes in, but I am not saying ‘that’ at all.

>>Ok, so now we don’t disagree, yet I’m a fanboy etc .. so we must disagree on something?

We still disagree. I think you misunderstand the fact that I’m playing devil’s advocate against Sony here and you are not.
Also you may not see how I use the word fanboy. Allow me to define it in this context: You have no affiliation with Sony/Sony BMG as far as I know, but you insist on protecting their reputation against the well-deserved negative commentary of HaD readers. Therefore I say ‘fanboy’ as a way of questioning your motives (eg. Are you a PR rep for Sony? Does a family member work for Sony? — What is the impetus to fight a battle for a company that just let tons of customers’ information become compromised?)

>>or that it was to do with OtherOS being removed

Notice how I never mentioned OtherOS or OtherThings that are irrelevant to this discussion?

>>And I wasn’t being “negative”. Maybe you perceived me basically saying “That is total and utter bullshit” as being “negative”.. but wouldn’t all the “OH NOES ROOT KIT ON MY CD!” people also be classed as negative in your opinion classification scheme?

Yes, everything wrong with you and your posts must simply be my perception. You are obviously infallible and you’d never do something like making a “negative” comment.

all because they got scared hackers would hack the Ps3 via the other os option. sony, you did this to yourself. It was the fact your system CAN run linux was why it was never really hacked before. you need to fire (kill off) your legal department.

Regardless of the differences between Sony BMG, Sony Corporation, and whoever else there is, I’m seriously beginning to wonder how closely associated these Sony companies are, and how much any of them value security, vs. how they value obscurity/proprietary.

How could they gain my trust back? Fire their entire executive board, replace it with entirely new people that have a good history (according to techies), hire a large number of security experts, show the world that they ramped up their Quality Assurance process to be more stringent (especially in security), and release some products with good software (especially according to hackers) for at least ten years straight.

I’m pretty certain I’d at least be willing to give Sony the time of day if they did all that, which has not been the case since BMG’s Rootkit fiasco.

In case I didn’t make it clear: I know that BMG is not the same company that did the PS3 and PSN. I don’t care.

Sony doesn’t have to do much to “regain my trust”. I use one-time codes for credit card info, and rely on my own measures (switching passwords, those one-time codes, etc) for security. A big company like this is bound to get targeted, and is also bound to (eventually) have their security hacked. Patch things up, increase security, and finger the person(s) that did it. That’s really all I could ever want. Now having PSN up would be nice, but I can live without for a few days.

@Spork
Stop wasting your time on cantido, he’s part of Sony’s spin team. I can dig up previous dirt, if you’d like.

The only thing I can think of that Sony could do to regain my trust at this point would be to declare bankruptcy, shatter the company by division, and sell the pieces off to smaller companies.

I’ve always been a fan of Sony hardware. I still own a PS2 and a hacked PSP. I own two Dualshock 3 controllers, which I use fairly regularly for playing games on my PC, one of which is the target for a mod project I have in the works. My E-Reader of choice is a Sony Reader Pocket Edition, specifically because it lacks the ability to phone home like the Kindle and Nook. Their engineers are clearly skilled.

You may perhaps note that the Playstation 3 is absent from the list of items I mentioned. The day PSN returns to functionality will be a sad day for me, because it will mean an end to the financial drain that repairs are causing.

My grudge actually is due to OtherOS and their response to GeoHot. (who once again, if I had the money, I would give him $250k and tell him he can only use it to pay fines incurred by deliberately violating Sony’s EULA again.)

All i want to do is play some games online with friends in other states. At least give us game servers, and netflix back. Hell even leave purchased content disabled, just give us what we online gaming.